...
- Attributes enabled for export, within object classes enabled for export.
- Attributes defined by LDAP Schema Plugins and enabled for export.
- If Unconfigured Attribute Mode is Remove, all other defined attributes within object classes enabled for export (including those defined by Schema Plugins).
...
Registry CO Person Transaction | LDAP Action | Externally Managed Attributes |
---|---|---|
Add | Add entry to LDAP (if entry already exists it will be deleted and replaced) | Deleted |
Edit | Update configured attributes only | Untouched |
Status Set To Grace Period | No changes (unless attributes change as part of grace period) | Untouched |
Status Set To Expired or Suspended | Update entry to maintain only Person attributes for referential integrity (no Role or Group attributes) | Untouched |
Status Set Back To Active | Restore Role and Group attributes, or add entry to LDAP if not present | Untouched |
Delete, or Status Set To Deleted (or any other status not specified above) | Remove entry from LDAP | Deleted |
Manual Provision | If entry exists: Update configured attributes only. Attributes are subject to CO Person and Person Role Status | Untouched |
...
- The objectClass must have no required attributes, since the LDAP Provisioning Plugin will write the initial record with no awareness as to the characteristics of the schema. If the objectClass has any required attributes, the record will fail to be written due to schema violation. (Supporting schemas with required attributes can be done via LDAP Schema Plugins).
- Be aware of the implications of the operations described above. For example, if the LDAP Provisioning Plugin decides to delete an entry from LDAP, the attributes managed by external applications in that entry will also be deleted.
Removing ObjectClasses
When removing an objectclass (whether via configuration or by disabling LDAP Schema Plugins), keep in mind that you may receive schema compliance errors from the LDAP server. This can happen because, for example:
- COmanage had previously included an attribute `foo` in the objectclass `fooclass`.
- When the objectclass is deconfigured, COmanage will emit a list of objectclasses that no longer includes `fooclass`.
- However, the LDAP record still contains the attribute `foo`. COmanage does not touch this attribute because it is not configured to do so.
- The LDAP server complains because the record does not contain an objectclass that defines `foo`.

In this scenario, it will be necessary to manually clean up the LDAP records to remove `foo` before COmanage can update the record.
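
A pre-check for the scenario above, as an added example (not COmanage code): given an entry and the objectclass list that will remain after deconfiguration, it lists the attributes that would trigger the schema violation and builds the LDIF modify record for the manual cleanup. The schema map, DN and entry values are constructed, and the map is assumed to list every permitted attribute per class, with superior classes named explicitly.

```python
# Added example: schema, DN and entry values below are constructed.
SCHEMA = {  # objectclass -> attributes it permits (MUST + MAY), lowercased
    "top": {"objectclass"},
    "person": {"cn", "sn", "userpassword", "telephonenumber", "seealso", "description"},
    "fooclass": {"foo"},  # hypothetical class from the scenario above
}

def orphaned_attributes(entry, new_classes, schema=SCHEMA):
    """Return attributes present in the entry that none of new_classes permits."""
    allowed = set()
    for oc in new_classes:
        key = oc.lower()
        if key not in schema:
            # Refuse to guess: an unknown class would make valid attributes look orphaned.
            raise ValueError(f"objectclass not in schema map: {oc}")
        allowed |= schema[key]
    # LDAP attribute names are case-insensitive, so compare lowercased.
    return sorted(a for a in entry if a.lower() not in allowed)

def cleanup_ldif(dn, orphans):
    """Build an LDIF modify record that deletes each orphaned attribute."""
    if not orphans:
        return ""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr in orphans:
        lines += [f"delete: {attr}", "-"]
    return "\n".join(lines) + "\n"

ENTRY_DN = "uid=jdoe,ou=people,dc=example,dc=org"
ENTRY = {
    "objectClass": ["top", "person", "fooclass"],
    "cn": ["Jane Doe"],
    "sn": ["Doe"],
    "foo": ["left over value"],
}

if __name__ == "__main__":
    # fooclass has been deconfigured, so only top and person remain.
    orphans = orphaned_attributes(ENTRY, ["top", "person"])
    print(cleanup_ldif(ENTRY_DN, orphans), end="")
```

Review the generated LDIF before applying it, since the deletion also removes values written by external applications.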